Transcript Address Space Layout Permutation

Computer Science
Address Space Layout Permutation
Chongkyung Kil
Systems Research Seminar
10/06/05
1
Overview
•
•
•
•
•
•
•
Problem Description
Current Approaches
Limitations of Current Approaches
Solution
Evaluation
Limitations
Conclusions and Future Work
Computer Science
2
The Problems: Memory Corruption
• Memory Corruption Vulnerability
– Popular means to take control of target program
– 50-80% of US CERT Alerts
• Common Memory Corruption Attacks
– Buffer overflows, format string exploits, return-tolibc attacks
– Successful attacks cause a remote code execution
Computer Science
3
Memory Corruption Attack Example
Stack Frame
c
o
d
e
b
u
f
r
e
t
a
d
d
r
Exploit!
3 GB
Attack packet:
NOP NOP NOP NOP
Computer Science
Attacker’s code
retAddr
retAddr
retAddr
retAddr
retAddr
4
Ad-hoc Solutions
• Static Analysis
– MOPS, CQUAL, SLAM, etc
• Dynamic Analysis
– StackGuard, PointGuard, Taintcheck, etc.
• Most target specific type of known attacks
Computer Science
5
A Generic Solution: Randomization
• Critical Observation
– Attackers use absolute memory addresses during the attacks
• Nullify Attacker’s Assumption
– Makes the memory locations of program objects unpredictable
– Forces attackers to guess memory location with low
probability of success
• Benefit
– Protection against known and unknown memory corruption
attacks
– Downtime better than system compromise
Computer Science
6
Attack Example: With Randomization
Stack Frame
c
o
d
e
b
u
f
r
e
t
a
d
d
r
b
u
f
crash
3 GB
Computer Science
7
A Generic Solution: Randomization
• State-of-the-Art Approaches
– Kernel level approaches
• Exec-Shield, PaX Address Space Layout Randomization
(ASLR)
– User level approach
• Address Obfuscation
Computer Science
8
Randomization Examples
Fig 1. Normal Process Memory Layout
Fig 2. PaX ASLR Process Memory Layout
Computer Science
9
Limitations of Current Approaches
• Kernel Level Approaches
– Low entropy: heap 13 bit, mmap 16 bit, stack 24 bit
• De-Randomization attack can defeat PaX ASLR in about 4 minutes
– Kernel modification required
– Pad wastes memory space. Increasing randomness means wasting more
memory by pad
– Locations of code and data segments can be randomized with PIE
• Causes performance overhead (14%)
• User Level Approaches
– Source-to-source transformation
– Wastes memory space by pad
– Runtime overhead: 11-23%
Computer Science
10
Solution
• Goal
– Increase randomness entropy
– Low overhead with negligible pad size
– No need of source code modification
• Address Space Layout Permutation
– A novel binary rewriting tool
• Permutes code and data segments with fine-grained randomization
– A modified Linux kernel
• Permutes stack, heap, and mmap areas
Computer Science
11
Contributions
• Stronger Protection than Related Works
– Provides maximum 29 bits of randomness
– Fine-grained randomization on static code and data
segments
• Low Performance Overhead (less than 1%)
• Ease of Use: Automatic Program Transformation
• Non-Intrusive Randomization: No Need for Source
Code Modification
– Only need relocation info in the program
Computer Science
12
ASLP Implementations
• User Level Address Permutation
– Uses binary rewriting technique
– Alters base addresses of static code and data segments
– Changes orders of functions and variables within the code
and data segments
– Mitigates partial overwrite attacks, dtors attacks, bss
overflow, and data forgery attacks
• Kernel level address permutation can not deter these attacks
– Works with Linux file format (ELF)
Computer Science
13
Partial Overwrite Attacks
Stack Frame
code
f
u
n
c
V
u
l
b
u
f
f
u
n
c
Exploit!
r
e
t
a
d
d
r
3 GB
Computer Science
14
Dtors Attacks with Coarse-grained
Stack Frame
code
data
v
a
r
1
v
a
r
2
v
a
r
3
v
a
r
4
d
t
o
r
s
M
A
I
N
r
e
t
b
u
a
d
f
d
Exploit!r
3 GB
Computer Science
15
Dtors Attacks with Fine-grained
Stack Frame
code
data
v
a
r
3
v
a
r
1
v
a
r
2
v
a
r
4
d
t
o
r
s
M
A
I
N
b
u
f
r
e
t
a
d
d
r
3 GB
Computer Science
16
ASLP Implementations
• Kernel Level Address Permutation
– Randomizes the base addresses of stack, heap, and mmap()ed regions
– Mitigates attacks on the stack , heap, and shared library
regions
– Done by previous work: Chris Bookholt
Computer Science
17
ASLP Implementations
• Object Reference
Fig 3. Object Reference Example
Computer Science
18
ASLP Implementations
• Challenges
– What parts of an ELF file need rewriting?
– How do we find the correct locations of those parts
and rewrite them?
– How those parts affect each other during run time?
• How to find cross-references between program objects
Computer Science
19
ASLP Implementations
• Challenges
– What parts of an ELF file need rewriting?
• Total of 12 sections need to be modified
– How do we find the correct locations of those parts
and rewrite them?
• Use .symtab section (symbol tables and string tables)
– How those parts affect each other during run time?
• Use relocation sections (e.g. .rel.text, .rel.data)
Computer Science
20
ASLP Implementations: User Level
• Two phases: Coarse-grained and Fine-grained Permutation
• Coarse-grained Permutation
– Relocates static code and data segments
• Benefit
– Provides 20 bits of randomness to each segment
• Coarse-grained Permutation Process
– ELF header rewriting: modify the program entry point (e_entry)
– Program header rewriting: modify virtual/physical addresses of code
and data segments
– Section rewriting: modify 12 sections including symbol table,
procedure linkage table, global offset table, relocation data
Computer Science
21
ASLP Implementations: User Level
Fig 4. ELF Header and Program Header Before Permutation
Fig 5. ELF Header and Program Header After Permutation
(Move Code Segment by 4KB and Data Segment by 14KB)
Computer Science
22
ASLP Implementations: User Level
Fig 6. PLT & GOT Before Permutation
Computer Science
Fig 7. PLT & GOT Before Permutation
23
ASLP Implementations: User Level
• Fine-grained Permutation
– Randomly changes the orders of functions and variables in the code and
data segments
• Benefit
– Provides further protections on code and data segments
• Fine-grained Permutation Process
– Information Gathering: total number of functions and variables, original
order and sizes of each function and variable, etc
– Random Sequence Generation: two random sequences
– Entry Rewriting: re-order the functions and variables
• Modify cross-references (relocation sections)
Computer Science
24
Demonstration of Permutation
Fig 8. Normal Process Memory Layout
Fig 9. Process Layout after Coarse-grained Permutation with ASLP Kernel
Computer Science
25
Demonstration of Permutation
< Before the permutation >
< After the permutation >
Fig 10. Example of Fine-grained Permutation (Data Segment)
Computer Science
26
Security Evaluation
Randomized Bits in Allocation Addresses
35
Bits of Randomness
29
28
30
24
25
20
20
17
20
20
16
15
13
13
Exec-Shield
PaX ASLR
ASLP
12
10
5
0
0
0
0
0
Stack
Heap
Mmap
Code
Data
Randomized Regions
- Randomness example: 220 possible locations/2 = 524K average guesses needed
Computer Science
27
Security Evaluation
Time To Derandomize Regions
10000000
1769515.2
884757.6
Seconds ToDerandomize
1000000
100000
27648.68
10000
1000
3456.08
3456.08
3456.08
431.01
ASLP
216
100
27
Exec-Shield
PaX ASLR
27
13
10
0
0
0
0
1
Stack
Heap
Mmap
Code
Data
Randomized Regions
152 Guesses Per Second
Computer Science
28
Performance Evaluation
• CPU 2K Benchmark
– All kernel level approaches show less than 0.3% including ASLP
• Randomizes Stack, heap, and mmap regions
– ASLP shows better performance on user level approaches
• Randomizes Code and data segments
• ASLP (-0.3 %) , PIE (14.38%), Address obfuscation (11%)
• LMBench Benchmark
– Tests only kernel level approaches (micro benchmarks e.g.contextswitching overhead)
– ASLP shows 50% better performance compared to other techniques
• fork(), exec(), and context-switching
Computer Science
29
Performance Evaluation
• Apache Benchmark
– Measures the performance of web server
– Tests 1 million requests with 100 worker processes
– All techniques incur less than 1% overhead
• Except PIE: 14%
Computer Science
30
Limitations
• Information Leakage
– Location information can be leaked
• via bugs or format-string attack
– Applies to all randomization techniques
• Protection is Probabilistic
– Brute force de-randomization attack will
eventually succeed (e.g. modified return-to-libc
attack [20])
– With IDS integration, de-randomization could be
detected and blocked
Computer Science
31
Conclusions and Future Work
• ASLP provides both user/kernel level
randomization
• ASLP allows users to permute static code and
data segments with fine-grained level.
• Effectiveness
– More randomness, more time to respond to attacks
– Low overhead, greater unpredictability
• Stack frame layout permutation will add
stronger protection
Computer Science
32
Questions?
Thank you for coming
Computer Science
33